[Openid-specs-ab] Some feedback on OpenID Connect spec family
Michael.Jones at microsoft.com
Wed Jul 13 18:33:54 UTC 2011
Agreed. One of the principles of this work has been that all data structures use JSON representations.
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Breno de Medeiros
Sent: Wednesday, July 13, 2011 11:10 AM
To: Andrew Arnott
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Some feedback on OpenID Connect spec family
On Wed, Jul 13, 2011 at 07:40, Andrew Arnott <andrewarnott at gmail.com> wrote:
> I'm glad to hear there are safe ways to parse JSON. Perhaps pointing
> this out in the security considerations section is all that is necessary.
Agree it is an important security topic to discuss, but I would prefer not to add support for an alternative format to JSON, since JSON is so baked into OAuth2.
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the
> death your right to say it." - S. G. Tallentyre
> On Wed, Jul 13, 2011 at 7:06 AM, Nat Sakimura <sakimura at gmail.com> wrote:
>> On Wed, Jul 13, 2011 at 10:41 PM, Andrew Arnott
>> <andrewarnott at gmail.com>
>>> On Wed, Jul 13, 2011 at 6:32 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>>> On Wed, Jul 13, 2011 at 12:27 PM, Andrew Arnott
>>>> <andrewarnott at gmail.com>
>>>>> Some questions, or suggestions regarding the spec...
>>>>> Section 4.
>>>>> Why are UserInfo endpoint responses receivable in JSON? If it's
>>>>> using "eval" to execute arbitrary code from an untrusted server.
>>>>> Query string syntax would protect against this, and is at least as
>>>>> friendly to web servers as JSON is.
>>>> It was following OAuth's pattern of getting the response back in
>>>> JSON as well as following Facebook Graph API.
>>>> Perhaps it is better to define a Query string version of response
>>>> for the implicit flow. Opinions? > Connectors.
>>>> I don't know that having a key value form encoding of the User info
>>>> endpoint response necessarily makes sense with some of the claims
>>>> being JSON objects themselves.
>>>> I suppose it is something that we could add as an option if someone
>>>> can describe a serialization.
>>>> The default response should remain JSON for the user Info endpoint.
>>> If the default response should remain JSON, are we going to have in
>>> clients SHOULD NOT call the UserInfo endpoint and execute its
>>> results to deserialize the JSON objects? Do you agree that would be dangerous?
>> Yes. Use json_parse.js or json-sans-eval like JSON parser which does
>> not do eval.
>> Nat Sakimura (=nat)
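As an added illustration of Nat's point (this is not code from the thread, from json_parse.js or from any OpenID Connect implementation): a UserInfo response parser that relies on the native ES5 `JSON.parse`, which accepts only JSON grammar and never evaluates code, and then checks the shape of the claims before they are used. The sample bodies are constructed, and the `sub` claim name is assumed here as the subject identifier.

```javascript
// Added example (not from the thread): parse a UserInfo response with
// JSON.parse, which only accepts JSON grammar and never executes code,
// then check the shape of the claims before trusting them.
// "sub" is assumed as the subject claim; the sample bodies are constructed.

function parseUserInfo(body) {
  let claims;
  try {
    claims = JSON.parse(body); // throws SyntaxError on anything that is not JSON
  } catch (e) {
    throw new Error("UserInfo response is not valid JSON: " + e.message);
  }
  if (claims === null || typeof claims !== "object" || Array.isArray(claims)) {
    throw new Error("UserInfo response must be a JSON object");
  }
  if (typeof claims.sub !== "string" || claims.sub.length === 0) {
    throw new Error("UserInfo response lacks a string 'sub' claim");
  }
  // Copy onto a null-prototype object so a key such as "__proto__" or
  // "constructor" in the response is plain data, not a prototype lookup.
  const safe = Object.create(null);
  for (const [k, v] of Object.entries(claims)) safe[k] = v;
  return safe;
}

// Constructed sample: a well-formed UserInfo response, including a claim
// whose value is itself a JSON object (the case John raised in the thread).
const GOOD_BODY =
  '{"sub":"248289761001","name":"Jane Doe","address":{"locality":"Springfield"}}';

// Constructed sample: valid JavaScript but not valid JSON. An eval-based
// parser would evaluate the string concatenation; JSON.parse rejects it.
const NOT_JSON_BODY = '{"sub":"248289761001","name":"Jane " + "Doe"}';

// Returns true when the parser refuses the body instead of interpreting it.
function isRejected(body) {
  try { parseUserInfo(body); return false; } catch (e) { return true; }
}
```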